I just got a dependabot saying:
Bump three from 0.120.1 to 0.125.0
But does it test that this will not break my repo?
It would have to run both "build" and "test" in my package.json. And actually run all my demos to test that they have no errors in Chrome Dev Tools.
How do I test dependabot before merging config mentions a config but it seem pretty basic and the dependabot docs are pretty noisy!
Dependabot has some concept of compatibility score to ensure your confidence with the version bumps. But for many of the dependency updates, they lack of compatibility score as well.
Also, dependabot PRs are like regular PRs, which means you should have PR builds to ensure the compatibility on your own.
At last, technically speaking, the library maintainers should follow semver, so you only have to check with major upgrade PRs.
Don't trust Dependabot compatibility score too much, especially if it's unknown.
As a precaution layer, you can setup up GitHub action workflow or GitLab CI/CD pipeline that can be triggered on pull_request that checks dependencies compatibility and runs the required tests.
Related
I would like to hard-pin my NPM dependencies. "Hard-pinning" would mean that an automated process would check my dependency list for certain packages with certain versions and if a package has been locally upgraded, an custom error message should be shown (ideally, this should be integrated in a pre-push Git hook).
The reasons for wanting this behavior could be:
external dependencies (e.g. other teams integrating with your project, requiring certain versions)
broken or unwanted behavior because of certain issues (e.g. "wait until #124 is fixed")
known non-obvious migration effort for major upgrades
upgrade incompatibilities (e.g. newest version requires, but does not enforce, a newer peer dependency).
Normal pinning does not cut it in this case: it's trivial to update pinned packages anyway, comments do not work with package.json without extra effort and sometimes the reasons are too important not to be displayed explicitly.
How can I achieve such "hard-pinning"?
In our team we have a number of APIs specified using the Open API Specification (formerly Swagger). We use Maven and OpenAPI Generator to generate code, build and publish the artifact to our local nexus. We build our code on TeamCity. The artifact is given the version that is specified in the pom.xml file of Maven.
During development we only use snapshot versions, that is versions which can be overwritten and will be cleaned up. This is opposite to release versions, that cannot be overwritten and needs administrative privileges to clean up. The reason for this is, that a developer usually changes a little bit at the time, which is much more convenient with snapshot versions. This also makes cleaning up outdated unreleased artifacts much easier.
Our problem is, that from time to time a developer makes API changes but forgets to set a new version. This works fine locally, but when the code is build on TeamCity the changed API overwrites the artifact of an older version. A developer not working on this branch will then experience a compile error, because the code does not match the API artifact being used.
What does others do? Is there a best practice? Preferably with standard tools. We have tried many things and nothing works well. At the same time this issue is so basic that someone must have a good solution - or at least experience enough to point to the least bad solution.
Why akka.persistence is still having beta release on nuget packages. Does it imply it is still not stable and not good for used in production applications?
In Akka.NET in order to get out of prerelease, a package must meet multiple criteria, like:
Having full test suite up and running. In case of clustered plugins, this also includes multi-node tests.
Having a fixed API. There are dedicated API Approval tests ensuring, that no public API has been accidentally changed.
Having a battery of performance tests. While many of plugins are ready and usually fast without it, stress tests are needed in order to check if any of the merged pull requests didn't introduce any performance penalties.
Having all documentation writen and published.
While this is a lot, not all of these are necessary to make plugin functional. In case of Akka.Persistence there are minor changes (like deprecation of PersistentView in favor of persistence queries), but the plugin itself is production ready and used as such already. However maturity of persistent backend plugins, that are used underneat, may vary.
Akka.Persistence is stable now. You can download it by running following command in Package Manager Console
Install-Package Akka.Persistence
I consider to use Hexo (the static blog generator) based on npm. I wonder one thing, what if although one npm package (dependency) will not be longer available? Each package has its own author and it can cancel support or completely remove it from npm's repository at any time.
So what do I do if missing one of the npm package affect on running Hexo and consequently I'll not be able to generate my blog in the future?
Although this can happen (and happened at least once), it is not a serious problem ussually. While you will be waiting until somebody will fix the missing dependency (it take place quickly on popular packages like Hexo) you can use older working version. And if you want to be 100% sure, you can commit node_modules together with your web sources (see discussion here).
Python packages have best practices for documenting public API changes using CHANGES.txt (see an example). There are tools like zest.releaser which do automated package publish and release notes maintenance.
Do NPM packages have best practices for documenting changes a.k.a. ChangeLog? (or are people expected to make sense from Github history, etc.)
Does NPM package have automated tools for maintaining change log when doing NPM package publishing, so that release dates and version numbers would be recorded in ChangeLog?
I found npm-release script, but its functionality is limited to tagging and pushing out new NPM packages.
CHANGES.txt example from Python:
Changelog
=========
1.0.0-dev (Unreleased)
----------------------
- Added feature Z.
[github_userid1]
- Removed Y.
[github_userid2]
1.0.0-alpha.1 (2012-12-12)
--------------------------
- Fixed Bug X.
[github_userid1]
From what I have seen so far, people tend to build custom mini tools that would read the Git (or other VCS) history and output a changelog based on some internal conventions.
This is not specific to the Node.js world though.
There are actually a couple of Grunt plugins that might help you with that:
https://github.com/btford/grunt-conventional-changelog
https://github.com/ericmatthys/grunt-changelog
Grunt is one of the finest build tools out there. It's quite popular (until the next one?), and it can help you integrate this phase into your release process. We can easily imagine orchestrating the changelog task with the grunt-release plugin.
I don't have in mind any standalone tool or plugin that would allow you to do all that zest.releaser does out of the box (but that doesn't mean it does not exists).